I am studying for the CEH and I ran across this problem on a forum. Here is the question:

You are having problems while retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all opened ports. Which of the following statements is probably true?

A. The systems have all opened ports
B. The systems are running a host-based IDS
C. The systems are web servers
D. The systems are running Windows

The forum says that the answer is D, but when I do a null scan of a Windows computer, I get that all ports are closed. Am I wrong in saying that all ports are closed when I scan a Windows computer with the null switch?

Thanks, Tim

-How important does a person have to be before they are considered assassinated instead of just murdered?

TomJones wrote: Am I wrong in saying that all ports are closed when I scan a Windows computer with the null switch?

Yes, you are wrong. Perhaps this quote from the nmap man pages will show you why. Note the part that I've highlighted.

-sN; -sF; -sX (TCP Null, FIN, and Xmas scans)

These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 says that “if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.” Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: “you are unlikely to get here, but if you do, drop the segment, and return.”

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types:

Null scan (-sN)

Does not set any bits (TCP flag header is 0).

FIN scan (-sF)

Sets just the TCP FIN bit.

Xmas scan (-sX)

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered closed, while no response means it is open|filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though -- most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most UNIX-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered.

Last edited by Negrita on Wed Jul 19, 2006 5:42 pm, edited 1 time in total.

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
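The behaviour the quoted man page describes, as an added illustration (this is not Nmap's code and not part of Negrita's post): a small Python model of how a RST, no reply, or an ICMP unreachable maps onto Nmap's port states, a simulated RFC 793 stack beside a stack that answers every probe with RST (the Windows case the thread is arguing about), and, from the defender's side, the flag check an IDS rule uses to spot these probes. Host names, ports and flow records are constructed for the example.

```python
"""Model of how Nmap's -sN/-sF/-sX scans infer port state, plus the
flag check a detector uses to spot those probes.  Constructed example
for this thread; it is not Nmap's own code."""

# TCP control bits (RFC 793), low byte of the flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe flag combinations for the three scan types quoted in the thread
PROBES = {"-sN": 0, "-sF": FIN, "-sX": FIN | PSH | URG}

# ICMP type-3 codes that make Nmap mark a port "filtered" (per the man page text above)
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def classify_response(response):
    """Map the reply to a NULL/FIN/Xmas probe onto Nmap's port state.

    `response` is None (no reply), ("tcp", flags) or ("icmp", type, code).
    """
    if response is None:
        return "open|filtered"          # silence: open, or silently dropped
    if response[0] == "tcp" and response[1] & RST:
        return "closed"                 # RST is the only "closed" signal
    if response[0] == "icmp" and response[1] == 3 and response[2] in FILTERED_ICMP_CODES:
        return "filtered"
    return "open|filtered"              # any other reply carries no port-state information


def rfc793_host(open_ports):
    """Simulated RFC 793-compliant stack: RST for closed ports, silence for open ones."""
    def respond(port, probe_flags):
        if probe_flags & (SYN | RST | ACK):
            raise ValueError("only SYN/RST/ACK-free probes are modelled here")
        return None if port in open_ports else ("tcp", RST | ACK)
    return respond


def rst_regardless_host(port, probe_flags):
    """Simulated stack of the kind the man page lists (Windows etc.): RST no matter the port state."""
    return ("tcp", RST | ACK)


def scan(host, ports, scan_type="-sN"):
    """Send one probe of the chosen type per port and classify each reply."""
    probe = PROBES[scan_type]
    return {p: classify_response(host(p, probe)) for p in ports}


# Constructed flow records for the detector: (src, dst, dport, tcp_flags)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 22, SYN),               # ordinary connection attempt
    ("10.0.0.5", "10.0.0.20", 80, ACK | PSH),         # established traffic
    ("10.0.0.9", "10.0.0.20", 135, 0),                # NULL probe
    ("10.0.0.9", "10.0.0.20", 139, FIN),              # FIN probe
    ("10.0.0.9", "10.0.0.20", 445, FIN | PSH | URG),  # Xmas probe
    ("10.0.0.5", "10.0.0.20", 22, FIN | ACK),         # ordinary connection close
]


def suspicious_probes(flows):
    """Return segments with none of SYN/RST/ACK set: the trait all three scan types share.

    Legitimate traffic always carries at least one of those bits (SYN to open,
    ACK once established, RST to abort), so this check has few false positives.
    """
    return [(src, dport, flags) for src, dst, dport, flags in flows
            if not flags & (SYN | RST | ACK)]


if __name__ == "__main__":
    print("RFC 793 host:", scan(rfc793_host({22, 80}), [22, 80, 443]))
    print("RST-regardless host:", scan(rst_regardless_host, [22, 80, 443], "-sX"))
    print("Probes seen:", suspicious_probes(SAMPLE_FLOWS))
```

Against the compliant stack the open ports come back as open|filtered and the closed one as closed; against the RST-regardless stack every port is reported closed whatever its real state, which is the man page's point and the source of Tim's observation. The detector side shows why the claimed stealth is limited: the very property these scans rely on (no SYN, RST or ACK) is a clean signature for an IDS rule.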

Negrita wrote: The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, ...

OK, but the question said that all the ports are open, and the output of a null scan targeting a Windows box is all closed. Is this correct?

Tom

-How important does a person have to be before they are considered assassinated instead of just murdered?

Maybe there is a typo. The question states that the ports are all open, but the reasoning for the answer states that they are all closed. I would look at the original wording of the question and get it in your mind that the scan showed all ports as being closed. Then answer 'D' is correct, but with a caveat. If it were really specific, the answer should read that it is a 'modern' Windows box, i.e. Win2K or above.